This new article discusses the first Tab in the Template Editor, which is dedicated to creating and modifying the various entities that are used within the model.

The Tab shows a two-level tree: the first level defines the basic entities, and the second level the specialized ones. In other words, the first level contains items like the Generic Process, the Generic External Interactor and so on. Please note that this series of articles is not about the basic concepts of Threat Modeling: you should already know what a Process is.

Under the Generic entities, you will find the specialized entities, like the OS Process, the Thread, the Web Application and so on.

You can also create your own base entities: you are not limited to the pre-defined ones.

If you select an entity in the tree, its definition appears in the right pane, where you can change it.

The properties of an entity are:

Name: it identifies the entity itself. It does not uniquely identify the entity, though: you may be able to create two entities with the same Name, but doing so produces errors in the Messages Tab, which is the 4th Tab, as shown in the image below.

Description: the description of the entity.

Behavior: it specifies the type of entity: a Flow, a Boundary, or a common entity, which is also known as a Target.

Shape: it specifies the variant of the type defined with the Behavior. For example, a Target can take the shape of an Ellipse (for Processes), a Rectangle (for External Interactors), or two parallel lines (for Data Storages). A Flow can only be a line, and a Boundary can be a Line or a Rectangle.

Width: it specifies the width of the lines.

Dash: it defines the type of line to show. If absent, the default dash is applied.

You can also define properties associated with an entity. Each property has multiple pre-defined values, and the first one is considered the default value. You can add properties through the Add Property button. Properties are used to decide whether a Threat should be generated automatically or not, so they play an important role.

Specialized entities are exactly the same as the base entities, but they allow constraining the value of properties to specific values. You can also add new Properties, but you cannot modify the properties defined in the base entity.
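The rules above (first value is the default, specialized entities constrain base properties and may add new ones, duplicate Names are reported) can be captured in a small model. This is an added illustration, not the tool's own code or file format: the `Entity` class, the `Isolation` and `Framework` properties and their values are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Entity:
    name: str
    properties: dict = field(default_factory=dict)   # property -> allowed values, first = default
    base: Optional["Entity"] = None                  # None for a base (first-level) entity
    constraints: dict = field(default_factory=dict)  # base property -> values still allowed

def effective_properties(e):
    """Properties an entity exposes: constrained base ones plus its own additions."""
    if e.base is None:
        return dict(e.properties)
    merged = {p: e.constraints.get(p, vals) for p, vals in effective_properties(e.base).items()}
    merged.update({p: v for p, v in e.properties.items() if p not in merged})
    return merged

def defaults(e):
    """Default value of each property: the first value in its list."""
    return {p: vals[0] for p, vals in effective_properties(e).items()}

def validate(entities):
    """Return messages for duplicate names and for illegal changes to base properties."""
    msgs = [f"duplicate name: {n}" for n, c in Counter(x.name for x in entities).items() if c > 1]
    for e in entities:
        if e.base is None:
            continue
        inherited = effective_properties(e.base)
        for p in e.properties:
            if p in inherited:  # a specialized entity may add properties, not redefine them
                msgs.append(f"{e.name}: redefines base property {p}")
        for p, vals in e.constraints.items():
            allowed = inherited.get(p, [])
            if not vals or any(v not in allowed for v in vals):
                msgs.append(f"{e.name}: invalid constraint on {p}")
    return msgs

# Constructed sample template (property names and values are invented).
process = Entity("Generic Process", {"Isolation": ["None", "Sandbox", "AppContainer"]})
web_app = Entity("Web Application", {"Framework": ["Unknown", "MVC"]},
                 base=process, constraints={"Isolation": ["Sandbox"]})
clone = Entity("Web Application", {"Isolation": ["Any"]}, base=process)

if __name__ == "__main__":
    print(defaults(web_app))
    print(validate([process, web_app, clone]))
```
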

Disclaimer

The author of this Blog, Simone Curzi, has been a Senior Consultant and Delivery Architect in Microsoft Consulting Services (MCS) Italy for more than 6 years and has spent a total of 15 years as a Consultant in MCS. After having spent 2 years as a Security Premier Field Engineer for Microsoft Proactive Services (CSS), he has recently joined Microsoft Global CyberSecurity Practice (GCP) as Senior Consultant.
Simone is also the Leader of Microsoft Technical Community for Application Security.
The content published here expresses his own personal opinions only. They do not necessarily reflect Microsoft's assessments or persuasions around Security or any other topic discussed in this Site. Microsoft has not participated directly or indirectly in the preparation of the current Site, for example by providing any resource other than paying for the salary.
The content is based on public information and sanitized experiences: it will not contain Microsoft Internal-Only material nor information traceable to actual Customers, even if someone could occasionally recognize himself or herself.